Slashdot Mirror
Schneier Recommends Nuclear-Style Cyberwar Hotlines, Treaties
strawberryshakes writes "Cyberwar is the new nuclear war. Bruce Schneier says governments should establish hotlines and treaties outlining the protocol surrounding cyberwar, just as they would for any other war. He wrote in the Financial Times (paywalled, but available through Google), 'A first step would be a hotline between the world’s cyber commands, modelled after similar hotlines among nuclear commands. This would at least allow governments to talk to each other, rather than guess where an attack came from. More difficult, but more important, are new cyberwar treaties. These could stipulate a no first use policy, outlaw unaimed weapons, or mandate weapons that self-destruct at the end of hostilities. The Geneva Conventions need to be updated too. Cyber weapons beg to be used, so limits on stockpiles, and restrictions on tactics, are a logical end point. International banking, for instance, could be declared off-limits. Whatever the specifics, such agreements are badly needed.'"
So what if the Chinese DDoS the internet for a while? OMG, twitter might go down!!~!eleventy!
I think the ISP's will be much more effective in fixing any problems, possibly by blocking all traffic from the offending country, if it comes down to that.
What exactly is a stockpile of cyber weapons? A room full of nerds and a case of Mountain Dew?
Cyberwar is the new nuclear war.
Gimme a break. When I see a hacker kill off 100,000 people, then I'll take that statement seriously.
Jesus Christ, hyperbole is becoming the norm these days.
How else could you trust the caller? Phones are just another form of IT.
My first reading of the headline was "Schneier recommends nuclear war." Would have been a more interesting article...
If this is going to go on for a few days, they'd better stock up on the Dew!
We could just ban the use of Windows in critical IT infrastructure.
Cyberwar is the new nuclear war.
No it's not. it used to be that nuclear weapons were out of reach for a private entity. It is not the case with cyberweapons. How do you regulate the action of the mafia or the triads ? How do you apply a treaty onto an individual ? Treaty and regulation works for limited availability weapon but for something as easy to produce, I dont see how it could work.
Jehovah be praised, Oracle was not selected
Look at the stuxnet attack on Iran last month. If that country had a more developed nuke program a hostile neighbor (country X) could have had the opportunity to co-opt their systems and launch against Israel. Israel would immediately engage in a retaliatory strike and country X would be the winner (assuming they are anti Iran and at least neutral in their relations with Israel).
Country X in this case just became a nuclear power without ever facing embargoes, or hostility from the US.
I went to battle M.C. Escher, but drew a blank.
Quick! pick up the red emergency phone and dial the 16 year old 3l33t hax0r general in charge so he can fire the scripts! For great lols!
Hmm, he seems to be seriously exaggerating the threat. Network attacks are very easy to defend against and the damage is negligible compared to a real military attack. So this is plain stupid.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
see: a taste of armageddon
It's another case of doing everything but locking and securing a sufficiently resistant cockpit door.
For justice, we must go to Don Corleone
Can we make facebook a civilian target?
Substitute smoke for electrons if that makes it more understandable and gives a better visual for the hotline idea.
Someone forgot to make a rule, that everybody will follow of course, not to mess with the IP phones used for the hotline. Can't mess with the networks they run on either!
Home of The Suki Series
Will it mean hackers and the like will be considered enemy combatants if taken prisoners? Won't they have to wear uniforms to distinguish themselves from 'terrorists'?
Too bad the black berets are already taken by the USAF. How about black hoodies?
I'm also pretty sure some will insist on including dice, wands or xkcd quotes...
"Hello, cyberwar hotline. Have you tried turning it off and back on again?"
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
Aren't these just fancy encrypted telephones between superpowers? Why do they need different hotlines for different crises?
I dream of a nation where a man is not judged by his skin color but by an number assigned by a credit rating agency.
all your FaceBook are belong to us
"These could stipulate a no first use policy, outlaw unaimed weapons, or mandate weapons that self-destruct at the end of hostilities."
There are tons of major differences between a nuclear weapon and cyber-'weapons' .
Firstly, how do you work out who sent it? A nuclear warhead is pretty easy to track - but what about Stuxnet?
Also, civilians aren't generally capable enough to create their own nuclear weapons, they can make cyber-'weapons'.
What it'll end up with is everyone agreeing that cyber-weapons are bad and banned, then doing stuff in secret.
The solution is better security. Yes, its an impossible goal - but its still more realistic than having the president going- "Dammit! My facebook has been DDOSed. Someone get me the Kremlin!"
Schneier is assuming that in cyberwar the main actors are going to be nation-states. Look at Wikileaks; that's a form of cyberwarfare and I don't see how a hotline between the US president and the Chinese premier is going to help. We're entering a post-nation-state era, but Schneier sounds like he's using models from the 1960's.
Do you think the cyber-guerrillas will respect the Geneva convention? The international cyber-banks will be the first to go in a world-wide-cyber-war!
The cyber-dead will be strewn about the cyber-fields, and cyber-children will run in terror from cyber-napalm. WE'LL REVERT TO PRE-CYBER CIVILIZATION!
So... like today, but instead of cyber-dot, to complain about greedy corporations we'll have to go talk to our neighbors.
I find it interesting that Bruce, who is a pretty savvy guy, would suggest treaties for 'cyber warfare' that are analogous to those employed in conventional warfare. The problem is, as illustrated by the snarky remarks in this thread, is that the internet is so unlike anything else that such treaties would be pointless.
How are you going to verify that someone else is complying? Its one thing to be able to count missile silos or uranium mining operations, but how do you make sure that someone isn't researching methods for retasking criminal botnets for military purposes or preping viruses for targeted release? His suggestions are comically out of touch...
HA! I just wasted some of your bandwidth with a frivolous sig!
Tell me that the attacks both visible (from idiots like Lieberman) and less visible (from so-called "hackers") are not the signs of cyberwarfare being directed against the power of free information via Wikileaks.
Or maybe Bruce is thinking ahead at what the Internet might be like a few years down the road.
If the governments had as much control over the internet as they wanted to, these treaties might be made under the assumption that each country keeps its house in order. Much like if a bunch of Canadians took up arms and started marching on American the Canadian Government would be in hot water trying to explain that one.
Same thing here - if you can't keep your own hackers and crackers in line than you pay the consequences. It would be entirely possible to expect that kind of control over their own segregrated parts of the internet. They keep bringing up this idea of an "Internet Killswitch" in the states. That could be used to stop both incomming and outgoing attacks.
The Stuxnet went after control systems in nuclear power plants. The only thing that happened was they couldn't run - BFD.
No, that's not the only thing that happened. Stuxnet physically damaged a number of centrifuges, it prevented them from successfully enriching uranium, and its second payload appears to have been designed to cause their nuclear reactor's steam turbine to destroy itself, which would have delayed their ability to create a nuclear bomb for years.
Nuclear weapons have human controls - nothing gets launched without a human being turning keys and pressing buttons.
Sure, we're told that American nuclear weapons have human controls. But do we really know that Pakistan's missile triggers aren't connected to a computer network? That the Pakistani president doesn't have an iNuke app on his phone, with a single big red button labeled "Mumbai" glowing in the middle of the screen? Or that North Korea's weapons are air-gapped, and not just hooked to a 300 baud modem in some back room?
John
*calls FSB major*
Yo! You don't know who I am, and I'm not sure how I got your number, but there's this thing going down in the internal networks of a few dozen hospitals here, and we're tracing it back to a site in your country. Our expert will soon be on it (god willing, assuming we can find them and brief them and give them access to the binaries) but the code obfuscation and anti-reversing features are like acts of god almighty, and amusingly treated as such by the insurance companies. Could you please help us catch these crazy bastards for interrogation about the stopping key... pulling the plug? That won't work, it's a self-contained virus, bricking shit like a startled soviet-era comedian. Talk to my boss? Well, I'm not sure he knows how to deal with this... or for that matter which one of my bosses I'm supposed to call...
As (potentially) opposed to:
*calls the kr3ml1n h4x0r bünk3r (actual official name) from the American Cyber Command (actual official name)*:
Hello, we've got a massive self-replicating attack on our internal networked hospital equipment, much like the scenario we discussed a few months ago. We can't break the obfuscation, and IDA Pro gets eaten up from the inside by trying to analyze it, but you guys might have more luck with the binaries we've managed to capture. Also, some versions of the code communicates with a site in Russia - it's probably botnet nodes, but the "scary men in helicopters" protocol you spoke about using internally might work anyway.
Not to talk about the difference in reaction speed between the two.
Emotions! In your brain!
I know you are also not allowed to own unlicensed radioactive sources over a certain, minuscule, vastly smaller than the critical mass of uranium or plutonium isotopes.
What about materials in the ground? Building materials?
I know this is nitpicking, but there is uranium in many rocks. If you own a big quarry, there could be a lot of uranium, certainly above the limit you are theoretically allowed to own, in those rocks.
Or what about real estate? In some places there's no distinction between soil and underground for ownership purposes. If you own a tract of land you own all that's between the surface and the center of the earth. There's certainly enough uranium to build a bomb in that 6378 km tall inverted pyramid of rock.
He's usually a LOT more intelligent than that.
2nd - be proactive. Pass a law that requires that each ISP check the packets on their network and do NOT forward any packets that do not match the addresses they control. There, spoofing is pretty much dead.
3rd - whitelists, not blacklists. Know who you absolutely must have an Internet connection to and why. If someone is flooding your network, block everyone else. (yeah, this won't work for Amazon or eBay)
4th - it's the GOVERNMENT. Use your purchasing power to demand real improvements in security.
Back in the day... who really could launch nukes? Hell even today how many people could build a nuke... friggen governments cant even do it. So yes you could get your dozen groups communicating and that stops it from happening. You are able to talk to everyone who can do it. Very diplomatic Today on the otherhand 23 year old guys control 500,000 zombie botnets. Computer security itself is terrible to the point basically a huge number of independants have the power to do the job. So what are governments doing to open communication with these people? They are trying to identify them in order to arrest or as the usa says "the Department of Defense is prepared, based on the authority of the President, to launch [...] an actual bombing of an attack source or a cyber counterattack." This isnt diplomatic at all.
Richard Clarke in his book Cyber War calls for some of the same kinds of controls. He calls for banning attacks on civilians, especially the banking system. He also calls for arms inspectors and an obligation of nations to assist in finding the source of attacks that come from within their borders. He calls for a "Cyber War Limitation Treaty" that would also ban putting logic bombs in civilian infrastructure. I really liked this part of the book.
peace,
isaac
*calls FSB major* Yo! You don't know who I am, and I'm not sure how I got your number, but there's this thing going down in the internal networks of a few dozen hospitals here, and we're tracing it back to a site in your country. Our expert will soon be on it (god willing, assuming we can find them and brief them and give them access to the binaries) but the code obfuscation and anti-reversing features are like acts of god almighty, and amusingly treated as such by the insurance companies. Could you please help us catch these crazy bastards for interrogation about the stopping key... pulling the plug? That won't work, it's a self-contained virus, bricking shit like a startled soviet-era comedian. Talk to my boss? Well, I'm not sure he knows how to deal with this... or for that matter which one of my bosses I'm supposed to call... As (potentially) opposed to: *calls the kr3ml1n h4x0r bünk3r (actual official name) from the American Cyber Command (actual official name)*: Hello, we've got a massive self-replicating attack on our internal networked hospital equipment, much like the scenario we discussed a few months ago. We can't break the obfuscation, and IDA Pro gets eaten up from the inside by trying to analyze it, but you guys might have more luck with the binaries we've managed to capture. Also, some versions of the code communicates with a site in Russia - it's probably botnet nodes, but the "scary men in helicopters" protocol you spoke about using internally might work anyway. Not to talk about the difference in reaction speed between the two.
So you're the guy they hire to fill in where the script says [tech]!
"I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
If you examine your sig, you'll see that it can't possibly be true:
rule number 1 of slashdot: ANY thread can be twisted into a bash of microsoft. no exceptions.
You appear to have focused on the second part, without realizing that some threads (and indeed, whole articles) start out as microsoft bashing, and therefore can only be twisted into something other than a microsoft bash, if indeed, they can be twisted at all.
Can you be Even More Awesome?!
Not to mention nuclear war REQUIRES the resources of a government. Who is to say that a government is or knows they are responsible for an internet attack?
Brilliant! That would make critical IT infrastructure less diverse, and make it even more likely everything could be taken out with a single zero day attack.
Beware of bugs in the above code; I have only proved it correct, not tried it.
The value of my life is undefined.
Emotions! In your brain!
They keep bringing up this idea of an "Internet Killswitch" in the states. That could be used to stop both incoming and outgoing attacks.
An Internet killswitch is about as viable as a perpetual motion machine. Assuming that you could round up all the possible avenues into and out of the united states (and there are a LOT of them, not just a few major landlines), and get the collective owners to agree that a killswtich is a good idea, you can only realistically kill all traffic, since filtering is unrealistic. If you do this, you will cause far more internal economic damage than any hacking attempt could ever cause. Plus, it doesn't stop anything that is happening inside the country. (say, a Russian mob running a phishing botnet remotely.)
He isn't thinking ahead. My point was that that he is suggesting trying to think about a fundamentally new and different problem using conventional thought. You cannot realistically monitor a countries virtual military activities.
HA! I just wasted some of your bandwidth with a frivolous sig!